Get-ADcomputer Confused with datetime, passwordlastset and less than operator

I am trying to find computers that have not communicated with a DC for more than a certain amount of time. The problem is that if I specify 60 days I get some results. When I specify 50 days I get no results. I would have thought that I would get the same number of results or more. This is the script I’m using:

[CmdletBinding()]
param (
    
        [Parameter(HelpMessage="The amount of days since a computer has communicated with a Domain Controller")]
        [int]
        $days = 60
      
)
$lldate = [DateTime]::Today.AddDays(-$days)
Write-Verbose  "`$lldate is $lldate"


$stalecomputers = Get-ADComputer -Filter "PasswordLastSet -lt '$lldate'" -Properties PasswordLastSet | Select-Object name,PasswordLastSet | Out-String
Write-Output $stalecomputers

Another thing is that when I specify 30 days I get computer objects that have changed their password within 30 days, so something is not working correctly. I am stuck on this despite looking through Google, and I see this is what people are doing.

I have included in the script the part where I send an email of this list; that's why I have included Out-String at the end of the pipeline where I get the computers. Is there a better way to convert this into an email?

Any help would be appreciated.
Adrian

The syntax for the filter string for the AD cmdlets confuses me as well almost every time unless it is not something super easy. :wink:

This should work though:

[CmdletBinding()]
param (
    [Parameter(HelpMessage = 'The amount of days since a computer has communicated with a Domain Controller')]
    [int]$days = 60
)
$lldate = [DateTime]::Today.AddDays(-$days)
Write-Verbose  "`$lldate is $lldate"

$stalecomputerList = Get-ADComputer -Filter 'PasswordLastSet -lt $lldate' -Properties PasswordLastSet
$stalecomputerList | Select-Object Name, PasswordLastSet

I’d recommend using a -SearchBase to reduce the stress you put on your AD. :wink:

I tested using { brackets and got different results:

$DaysInactive = 60
$time = (Get-Date).Adddays( - ($DaysInactive))

Get-ADComputer -Filter "PasswordLastSet -lt '$time'" -Properties name,PasswordLastSet | select Name,PasswordLastSet

Name PasswordLastSet
---- ---------------
q1   14/08/2021 09:39:56
PC33 11/05/2021 09:23:56
PC1  22/04/2021 09:29:14
PC2  18/03/2021 16:19:53
PC3  15/07/2021 10:02:09
TEST 04/11/2021 09:29:15

Get-ADComputer -Filter { PasswordLastSet -lt $time }  -Properties Name,PasswordLastSet | select Name,PasswordLastSet

Name   PasswordLastSet
----   ---------------
server 15/11/2021 21:33:59
q1     14/08/2021 09:39:56
PC33   11/05/2021 09:23:56
PC1    22/04/2021 09:29:14
PC2    18/03/2021 16:19:53
PC3    15/07/2021 10:02:09
PC4    22/11/2021 07:45:03
TEST   04/11/2021 09:29:15

I found that with the first command, Get-ADComputer -Filter "PasswordLastSet -lt '$time'", I don’t get accurate info; especially when I reduce the number of days to 30, I get results that show computers with a password last set within the 30 days.
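
An added example, not code from any poster in this thread: it checks what happens to the cutoff date when it is expanded into a double-quoted filter string and then read back as a date. It assumes the quoted date is parsed with the session culture (en-GB here, to match the dd/MM/yyyy output above); the function name, the run date and the LDAP filter at the end are constructed for illustration.

```powershell
# Added example with constructed dates; no AD connection is needed to run it.
# Assumption: the quoted date in the filter string is parsed with the session
# culture, here en-GB to match the dd/MM/yyyy output shown in the thread.
$enGB = [System.Globalization.CultureInfo]::GetCultureInfo('en-GB')
$none = [System.Globalization.DateTimeStyles]::None

function Test-CutoffRoundTrip {
    param([datetime]$Today, [int]$Days)

    $cutoff = $Today.AddDays(-$Days)
    # String expansion formats a DateTime with the invariant culture (MM/dd/yyyy)
    $text   = "$cutoff"
    $parsed = [datetime]::MinValue
    $ok     = [datetime]::TryParse($text, $enGB, $none, [ref]$parsed)

    [pscustomobject]@{
        Days        = $Days
        Intended    = $cutoff.ToString('yyyy-MM-dd')
        FilterText  = $text
        ReadAsEnGB  = if ($ok) { $parsed.ToString('yyyy-MM-dd') } else { 'not a valid en-GB date' }
        SameInstant = $ok -and ($parsed -eq $cutoff)
    }
}

$today = [datetime]::new(2021, 11, 23)    # constructed run date
30, 50, 60 |
    ForEach-Object { Test-CutoffRoundTrip -Today $today -Days $_ } |
    Format-Table -AutoSize

# Culture-independent cutoff: compare against the raw pwdLastSet attribute,
# which stores a FILETIME integer, so no date text is ever parsed.
$cutoff     = $today.AddDays(-60)
$ldapFilter = "(pwdLastSet<=$($cutoff.ToFileTime()))"
$ldapFilter
# With the ActiveDirectory module loaded:
# Get-ADComputer -LDAPFilter $ldapFilter -Properties PasswordLastSet
```

Under that assumption, a cutoff whose day of the month is 12 or lower reads back as a different valid date with day and month swapped, so the result set depends on which day the script runs.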